An apparatus and associated method are provided for reducing a security risk in a networked computer system architecture. The method comprises receiving, at a security computer, external vulnerability data from an external source regarding vulnerabilities associated with an attack vector for configuration item (CI) data related to a physical device of the networked computer system, referred to as the CI device. The security computer accesses a configuration management database (CMDB) and reads the CI data related to the physical device. Trust zone data associated with the CI device is determined utilizing the CMDB, and the security computer performs a vulnerability calculation for the CI device utilizing the external vulnerability data and the associated trust zone data. The same is done for a second CI device. The two vulnerability calculations are compared, and the comparison serves as the basis for prioritizing an action to be taken on the CI device or on associated other network components.
Legal claims defining the scope of protection, as filed with the USPTO.
1. An apparatus for reducing a security risk in a networked computer system architecture, comprising: a processor; a network interface comprising a communications port connected to a network; a memory accessible by the processor and comprising a security risk module that comprises instructions executable by the processor; a configuration management database (CMDB) that comprises a plurality of configuration item records, each configuration item record comprising data related to components making up the networked computer system, wherein the configuration management database is accessible by the processor; wherein the security risk module comprises instructions that: receives, via the network interface, external vulnerability data from a source external to the networked computer system regarding vulnerabilities associated with an attack vector for configuration item (CI) data related to a physical device, defined as a CI device, of the networked computer system; accesses, with the security computer, the CMDB and reads the CI data related to the physical device; determines, using a processor of the security computer, trust zone data associated with the CI device utilizing the CMDB, the trust zone data comprising a delineation of the CI device based on risk in light of various attack vectors; performs a vulnerability calculation for the CI device utilizing the external vulnerability data and the trust zone data associated with the CI device; performs a second vulnerability calculation for a second CI device utilizing the external vulnerability data and the trust zone data associated with the second CI device; compares the vulnerability calculation for the CI device with the second vulnerability calculation for a second CI device; and prioritizes an action to be taken on the CI device or an associated other network component based on the comparison.
2. The apparatus of claim 1, wherein the vulnerability calculation is based on a user of the CI device or a location of the CI device.
3. The apparatus of claim 1, wherein the memory comprises an executable script, a series of sequentially executed rules, or data contained within a security incident record that is utilized for the vulnerability calculation.
4. The apparatus of claim 1, wherein the CMDB comprises interconnection data for connections between the CI device and other CI devices.
5. The apparatus of claim 1, wherein the trust zone data comprises data for routers or other perimeter defense components.
6. The apparatus of claim 1, wherein the trust zone data is defined by other network components associated with the CI device.
7. The apparatus of claim 1, wherein the external vulnerability data comprises National Institute of Standards and Technology National Vulnerability Database data or third-party vulnerability data.
8. A method for reducing a security risk in a networked computer system architecture, comprising: receiving, via a network interface of a security computer, external vulnerability data from a source external to the networked computer system regarding vulnerabilities associated with an attack vector for configuration item (CI) data related to a physical device, defined as a CI device, of the networked computer system; accessing, with the security computer, a configuration management database (CMDB) and reading the CI data related to the physical device; determining, using a processor of the security computer, trust zone data associated with the CI device utilizing the CMDB, the trust zone data comprising a delineation of the CI device based on risk in light of various attack vectors; performing a vulnerability calculation for the CI device utilizing the external vulnerability data and the trust zone data associated with the CI device; performing a second vulnerability calculation for a second CI device utilizing the external vulnerability data and the trust zone data associated with the second CI device; comparing the vulnerability calculation for the CI device with the second vulnerability calculation for the second CI device; and prioritizing an action to be taken on the CI device or an associated other network component based on the comparison.
9. The method of claim 8, wherein the vulnerability calculation is based on a category of the CI device.
10. The method of claim 9, wherein the category is a user of the CI device.
11. The method of claim 9, wherein the category is a location of the CI device.
12. The method of claim 8, wherein the vulnerability calculation is based on an executable script.
13. The method of claim 8, wherein the vulnerability calculation is based on a series of sequentially executed rules.
14. The method of claim 8, wherein the vulnerability calculation is based on data contained within a security incident record.
15. The method of claim 8, wherein the CMDB comprises interconnection data for connections between the CI device and other CI devices.
16. The method of claim 8, wherein the trust zone data comprises data for routers or other perimeter defense components.
17. The method of claim 8, wherein the trust zone is defined by the other network components associated with the CI device.
18. The method of claim 8, wherein the external vulnerability data comprises National Institute of Standards and Technology National Vulnerability Database data or third-party vulnerability data.
19. The method of claim 8, comprising: taking the action on the CI device or its associated other network component before taking action on the second CI device or its associated other network component, thereby efficiently reducing a security risk of the CI device in the networked computer system.
20. A non-transitory computer-readable storage medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations for reducing a security risk in a networked computer system architecture, the operations comprising: receiving, via a network interface of a security computer, external vulnerability data from a source external to the networked computer system regarding vulnerabilities associated with an attack vector for configuration item (CI) data related to a physical device, defined as a CI device, of the networked computer system; accessing, with the security computer, a configuration management database (CMDB) and reading the CI data related to the physical device; determining, using a processor of the security computer, trust zone data associated with the CI device utilizing the CMDB, the trust zone data comprising a delineation of the CI device based on risk in light of various attack vectors; performing a vulnerability calculation for the CI device utilizing the external vulnerability data and the trust zone data associated with the CI device; performing a second vulnerability calculation for a second CI device utilizing the external vulnerability data and the trust zone data associated with the second CI device; comparing the vulnerability calculation for the CI device with the second vulnerability calculation for the second CI device; and prioritizing an action to be taken on the CI device or an associated other network component based on the comparison.
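The claims above describe a procedure (receive external vulnerability data, read CI data and trust zone data from a CMDB, compute a per-device vulnerability score, compare devices, prioritize an action) without fixing any particular scoring formula. The following is an added worked example of that procedure, written for this page and not code from the patent or its assignee. Everything in it is constructed: the NVD-style vulnerability records (with placeholder identifiers), the CMDB entries, the trust-zone exposure weights keyed by attack vector, and the two sequentially executed rules (claims 2, 4, 10 and 13) that adjust a score for an admin user and for interconnection with a DMZ host.

```python
"""Trust-zone-weighted vulnerability prioritization over CMDB configuration items.

Added example of the claimed procedure; not the patent's own code. All data,
weights and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed external vulnerability feed in the shape of NVD records:
# identifier (placeholder, not a real CVE), CVSS base score, attack vector,
# and the product string the vulnerability applies to.
EXTERNAL_VULNS = [
    {"id": "CVE-PLACEHOLDER-1", "cvss": 9.8, "attack_vector": "NETWORK", "product": "webfw 2.1"},
    {"id": "CVE-PLACEHOLDER-2", "cvss": 7.8, "attack_vector": "LOCAL", "product": "webfw 2.1"},
    {"id": "CVE-PLACEHOLDER-3", "cvss": 6.5, "attack_vector": "ADJACENT_NETWORK", "product": "dbsvc 5.0"},
]


@dataclass
class ConfigItem:
    """One CMDB configuration item record for a physical device (constructed)."""
    name: str
    product: str
    trust_zone: str            # delineation of the device by risk: dmz / internal / restricted
    location: str              # claim 11: location category
    user_role: str             # claim 10: user category
    connected_to: list = field(default_factory=list)  # claim 4: interconnection data


# Constructed CMDB: three CI devices, one of which is reachable from a DMZ host.
CMDB = {
    "web-01": ConfigItem("web-01", "webfw 2.1", "dmz", "datacenter", "service"),
    "jump-02": ConfigItem("jump-02", "webfw 2.1", "internal", "office", "admin"),
    "db-03": ConfigItem("db-03", "dbsvc 5.0", "restricted", "datacenter", "service", ["web-01"]),
}

# Constructed trust zone data: how exposed each zone is to each attack vector.
# A network-reachable flaw matters most in the DMZ and least behind perimeter defenses.
ZONE_EXPOSURE = {
    "dmz":        {"NETWORK": 1.0, "ADJACENT_NETWORK": 0.8, "LOCAL": 0.4},
    "internal":   {"NETWORK": 0.6, "ADJACENT_NETWORK": 0.7, "LOCAL": 0.5},
    "restricted": {"NETWORK": 0.3, "ADJACENT_NETWORK": 0.5, "LOCAL": 0.3},
}


def rule_admin_user(ci: ConfigItem, score: float, cmdb: dict) -> float:
    """Rule 1 (constructed): a device used by an administrator carries more risk."""
    return score * 1.25 if ci.user_role == "admin" else score


def rule_reachable_from_dmz(ci: ConfigItem, score: float, cmdb: dict) -> float:
    """Rule 2 (constructed): a device connected to a DMZ host inherits some of its exposure."""
    if any(cmdb[peer].trust_zone == "dmz" for peer in ci.connected_to):
        return score * 1.1
    return score


# Claim 13: a series of sequentially executed rules applied to the base score.
RULES = [rule_admin_user, rule_reachable_from_dmz]


def vulnerability_score(ci_name: str, vulns=EXTERNAL_VULNS, cmdb=CMDB) -> float:
    """Vulnerability calculation for one CI device from external data plus trust zone data."""
    ci = cmdb[ci_name]
    applicable = [v for v in vulns if v["product"] == ci.product]
    score = 0.0
    for v in applicable:
        exposure = ZONE_EXPOSURE[ci.trust_zone][v["attack_vector"]]
        score += v["cvss"] * exposure
    for rule in RULES:
        score = rule(ci, score, cmdb)
    return score


def compare_devices(first: str, second: str, vulns=EXTERNAL_VULNS, cmdb=CMDB) -> str:
    """Compare two CI devices' calculations; return the one to act on first."""
    a, b = vulnerability_score(first, vulns, cmdb), vulnerability_score(second, vulns, cmdb)
    return first if a >= b else second


def prioritize(ci_names, vulns=EXTERNAL_VULNS, cmdb=CMDB) -> list:
    """Order CI devices so remediation is taken on the highest-scoring device first."""
    scored = [(vulnerability_score(n, vulns, cmdb), n) for n in ci_names]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [name for _, name in scored]


if __name__ == "__main__":
    for name in prioritize(CMDB):
        print(f"{name:8s} score={vulnerability_score(name):.3f}")
```

With the constructed data, web-01 (two applicable flaws, DMZ exposure) scores 12.92, jump-02 (same flaws, internal zone, admin user) 12.225 and db-03 (one adjacent-network flaw in a restricted zone, connected to the DMZ host) 3.575, so remediation is ordered web-01, jump-02, db-03. The point to take from the structure is that the external CVSS score alone would rank the two webfw hosts equally; the trust zone and the CMDB interconnection and user data are what separate them.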
April 12, 2016
July 3, 2018